[Webkit-unassigned] [Bug 202910] New: Chromium test-case asserts with ASSERTION FAILED: hasLayer()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Oct 13 14:32:01 PDT 2019 

https://bugs.webkit.org/show_bug.cgi?id=202910

            Bug ID: 202910
           Summary: Chromium test-case asserts with ASSERTION FAILED:
                    hasLayer()
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Scrolling
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: emilio at crisal.io

On master (247b0314320d499ae788b6ea993aa1d98e2d607e / r250962), WebKitGTK build.

Running this test-case: https://cs.chromium.org/chromium/src/third_party/blink/web_tests/fast/css/sticky/sticky-table-col-crash.html?rcl=753caf715d8f30f0c673f1b4b36dadfc75c3201f

Asserts with:

ASSERTION FAILED: hasLayer()
../../Source/WebCore/rendering/RenderBoxModelObject.cpp(563) : WebCore::LayoutSize WebCore::RenderBoxModelObject::stickyPositionOffset() const
1   0x7f9ceb98a3d3 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x9) [0x7f9ceb98a3d3]
2   0x7f9cf76335f2 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3WTF15CrashOnOverflow10overflowedEv+0) [0x7f9cf76335f2]
3   0x7f9cfa7d9874 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore20RenderBoxModelObject20stickyPositionOffsetEv+0x52) [0x7f9cfa7d9874]
4   0x7f9cfa7d995a /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore20RenderBoxModelObject23offsetForInFlowPositionEv+0x46) [0x7f9cfa7d995a]
5   0x7f9cfa7c8682 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore9RenderBox19offsetFromContainerERNS_13RenderElementERKNS_11LayoutPointEPb+0x9e) [0x7f9cfa7c8682]
6   0x7f9cfa7c7ffd /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore9RenderBox19mapLocalToContainerEPKNS_22RenderLayerModelObjectERNS_14TransformStateEjPb+0x279) [0x7f9cfa7c7ffd]
7   0x7f9cfa93dca9 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore12RenderObject15localToAbsoluteERKNS_10FloatPointEjPb+0x5f) [0x7f9cfa93dca9]
8   0x7f9cfa833151 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore13RenderElement16getLeadingCornerERNS_10FloatPointERb+0x8b) [0x7f9cfa833151]
9   0x7f9cfa8339ad /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore13RenderElement18absoluteAnchorRectEPb+0x53) [0x7f9cfa8339ad]
10  0x7f9cf9a6142c /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore7Element14scrollIntoViewEON3WTF8OptionalINS1_7VariantIJbNS_21ScrollIntoViewOptionsEEEEEE+0x74) [0x7f9cf9a6142c]
11  0x7f9cf873e440 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xb6e6440) [0x7f9cf873e440]
12  0x7f9cf8754da2 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xb6fcda2) [0x7f9cf8754da2]
13  0x7f9cf873e473 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore40jsElementPrototypeFunctionScrollIntoViewEPN3JSC14JSGlobalObjectEPNS0_9CallFrameE+0x23) [0x7f9cf873e473]
14  0x7f9c95fce16b [0x7f9c95fce16b]

This also crashes Epiphany (and probably Safari).

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20191013/80fc0b3d/attachment-0001.html>

More information about the webkit-unassigned mailing list